08-25-2016 06:19 AM
Hi,
I am trying to configure a path for users to access the Internet. I use Palo Alto and Squid. But not everything works as I expected.
The path:
user---Palo Alto---Squid---Internet.
Squid is behind Palo Alto because of Citrix users. I want to control Citrix users' access, and in the scenario user---Squid---Palo Alto---Internet it's not possible: Squid changes source ports.
Captive portal and decryption are configured.
Everything works for unknown users who reach HTTP. User authentication by the Kerberos protocol succeeds. If a known user opens HTTPS, traffic is decrypted and the website loads correctly with the certificate from Palo Alto.
But when an unknown user tries to open HTTPS, Palo Alto doesn't redirect him to the captive portal.
On the user station Wireshark shows:
user: connect website:443
PA: 200 connection established
user: Client Hello
PA: Server Hello
PA: Certificate
user: Client Key Exchange, Change Cipher Spec, Hello Request, Hello Request
PA: Change Cipher Spec, Encrypted Handshake Message
user: Application Data (GET website)
PA: sometimes ACK.
After this Palo Alto sends RST to Squid and to the client station (Chrome shows connection reset); sometimes communication just stops (the page keeps loading forever).
PAN-OS 7.1.2
Tried this with user---Squid---PA---Internet, same problem.
Any idea why this happens?
Thank you for any help.
08-25-2016 11:35 PM
I set up a captive portal browser-challenge rule, enabled captive portal with an SSL/TLS Service Profile and an Authentication Profile in redirect mode, enabled User Identification on the zone, and on the interface set up a management profile with Response Pages permitted.
I think that's all I need for captive portal.
08-31-2016 01:22 AM
After a few tests I discovered the problem occurs when HTTPS is tunneled. Maybe Palo Alto has a problem with decryption and redirection when HTTPS goes via another port, e.g. 8080.
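To reproduce the captured sequence (CONNECT to the proxy, TLS handshake, then a GET) from a user station without a browser and see at which step it ends, here is an added diagnostic script; it is not from this thread, Palo Alto Networks or Squid. It assumes the caller supplies the explicit proxy address (for example Squid on port 8080) and the site name, and it deliberately skips certificate verification because a decrypting firewall presents its own forward-trust certificate; a working captive portal should show up as an HTTP redirect whose Location is the portal page, while the failure described above shows up as "reset" or "timeout" in the reported stage.

```python
import socket
import ssl

def parse_http_status(raw):
    """Split a raw HTTP response head into (status_code, {header-name-lowercased: value})."""
    head = raw.split(b"\r\n\r\n", 1)[0].decode("iso-8859-1")
    lines = head.split("\r\n")
    status = int(lines[0].split()[1])
    headers = {}
    for line in lines[1:]:
        if ":" in line:
            name, value = line.split(":", 1)
            headers[name.strip().lower()] = value.strip()
    return status, headers

def read_head(sock):
    """Read until the blank line ending the HTTP headers; a close before that is treated as a reset."""
    buf = b""
    while b"\r\n\r\n" not in buf:
        chunk = sock.recv(4096)
        if not chunk:
            raise ConnectionResetError("peer closed before sending a response head")
        buf += chunk
    return buf

def probe(proxy_host, proxy_port, site, timeout=10.0):
    """Replay CONNECT -> TLS handshake -> GET via an explicit proxy; report where it ended."""
    stage = "tcp_to_proxy"
    try:
        with socket.create_connection((proxy_host, proxy_port), timeout=timeout) as raw:
            stage = "proxy_connect"
            raw.sendall(f"CONNECT {site}:443 HTTP/1.1\r\nHost: {site}:443\r\n\r\n".encode())
            status, _ = parse_http_status(read_head(raw))
            if status != 200:
                return {"stage": stage, "result": f"http_{status}"}
            stage = "tls_handshake"
            ctx = ssl.create_default_context()
            ctx.check_hostname = False  # the firewall's forward-trust cert is not in the local trust store
            ctx.verify_mode = ssl.CERT_NONE
            with ctx.wrap_socket(raw, server_hostname=site) as tls:
                stage = "http_get"
                tls.sendall(f"GET / HTTP/1.1\r\nHost: {site}\r\nConnection: close\r\n\r\n".encode())
                status, headers = parse_http_status(read_head(tls))
                return {"stage": stage, "result": f"http_{status}", "location": headers.get("location")}
    except (ConnectionResetError, BrokenPipeError, ssl.SSLEOFError):
        return {"stage": stage, "result": "reset"}  # the RST case from the capture
    except (socket.timeout, TimeoutError):
        return {"stage": stage, "result": "timeout"}  # the "page loads forever" case
    except OSError as exc:
        return {"stage": stage, "result": "error", "detail": type(exc).__name__}
```

Run it as `probe("10.0.0.5", 8080, "www.example.com")` (addresses assumed) from an unauthenticated station and compare the returned stage with the Wireshark capture.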